Date: Thu, 30 Nov 2017 02:32:37 +0200
From: Bindecy <contact@...decy.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent huge pages
Hello,
This is a brief overview of the vulnerability, more details are available
in the post referenced in the GitHub link.
==== Summary ====
In the "Dirty COW" vulnerability patch (CVE-2016-5195),
can_follow_write_pmd() was changed to take into account the new FOLL_COW
flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").
We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.
touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will
become dirty. This scenario breaks the logic of the new can_follow_write_pmd():
the pmd can become dirty without going through a COW cycle, which makes
writing to read-only transparent huge pages possible.
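As an added illustration (not the advisory's or the kernel's code) of the logic break described above: a userspace C model in which touch_pmd() dirties a read-only huge pmd on a read-only get_user_pages() touch, after which can_follow_write_pmd() accepts a FOLL_FORCE|FOLL_COW write although no COW happened; the fixed variant, modelled on the referenced commit, dirties the pmd only on a write touch. The bit values, the FOLL_* constants and the shape of the fix are simplifying assumptions.

```c
/* Added example, not the advisory's or the kernel's code: a userspace model of
 * the pmd/FOLL logic above; bit values and the fix are simplified assumptions. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned long pmd_t;
#define PMD_WRITE  0x1UL    /* assumed bit: entry is writable */
#define PMD_DIRTY  0x2UL    /* assumed bit: entry has been written to */
#define FOLL_WRITE 0x01u    /* caller intends to write */
#define FOLL_FORCE 0x10u    /* override protections (ptrace, /proc/pid/mem) */
#define FOLL_COW   0x4000u  /* set by gup after a COW fault (CVE-2016-5195 fix) */
static bool pmd_write(pmd_t p) { return (p & PMD_WRITE) != 0; }
static bool pmd_dirty(pmd_t p) { return (p & PMD_DIRTY) != 0; }

/* can_follow_write_pmd() after 8310d48b125d: a read-only pmd may be written via
 * FOLL_FORCE only if FOLL_COW is set AND the pmd is dirty, i.e. the dirty bit
 * is trusted as evidence that a COW cycle already ran. */
static bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)
{
	return pmd_write(pmd) ||
	       ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));
}

/* Vulnerable touch_pmd(): every touch marks the pmd dirty, reads included. */
static pmd_t touch_pmd_vulnerable(pmd_t pmd, unsigned int flags)
{
	(void)flags;
	return pmd | PMD_DIRTY;
}

/* Fixed touch_pmd() (model of a8f97366452e): dirty only on a write touch. */
static pmd_t touch_pmd_fixed(pmd_t pmd, unsigned int flags)
{
	return (flags & FOLL_WRITE) ? (pmd | PMD_DIRTY) : pmd;
}

/* A clean, read-only huge pmd (think: the huge zero page) is touched by a
 * read-only get_user_pages(), then checked for a forced write with FOLL_COW set
 * although no COW cycle ran. Returns true if the write would be allowed. */
static bool write_allowed_without_cow(pmd_t (*touch)(pmd_t, unsigned int))
{
	return can_follow_write_pmd(touch(0UL, 0u), FOLL_WRITE | FOLL_FORCE | FOLL_COW);
}

int main(void)
{
	printf("vulnerable: %d  fixed: %d\n",
	       write_allowed_without_cow(touch_pmd_vulnerable),
	       write_allowed_without_cow(touch_pmd_fixed));
	return 0;
}
```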
This bug is not as severe as the original "Dirty COW" because an ext4 file
(or any other regular file) cannot be mapped using THP. Nevertheless, it
does allow us to overwrite read-only huge pages. For example, the zero huge
page and sealed shmem files can be overwritten (since their mapping can be
populated using THP). Note that after the first write page-fault to the
zero page, it will be replaced with a new fresh (and zeroed) thp.
Using this primitive, we successfully crashed several processes. A likely
consequence of overwriting the huge zero page is having improper initial
values inside large BSS sections. A common vulnerable pattern would be using
a zero value as an indicator that a global variable has not been
initialized yet.
Potentially, privileged processes using the mentioned pattern are
exploitable.
===== POC =====
The POC overwrites the zero-page of the system.
POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC
===== Affected Versions =====
The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
kernel 4.13. Every kernel version with THP support and the Dirty COW patch
should be vulnerable (2.6.38 - 4.14).
RHEL is claimed by the vendor to be not affected.
Fixed on Nov 27, 2017:
https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0
===== Timeline =====
22.11.17 — Initial report to security@...nel.org and
linux-distros@...openwall.org
22.11.17 — CVE-2017-1000405 was assigned
27.11.17 — Patch was committed to mainline kernel
29.11.17 — Public announcement
===== Credit =====
Eylon Ben Yaakov and Daniel Shapiro from Bindecy